After being frustrated with the lousy quality of the ISP provided (especially the Westell variety) WiFi routers, I decided to give DD-WRT a try. My research pointed me in the direction of the Asus RT-N12 router since it's very well supported by DD-WRT and it's very cheap: less than $40 shipped from NewEgg.
My setup is probably more complex than most, but it still applies to the typical home setup:
- An internal system that serves internal DHCP, DNS, and external SSH/SOCKS proxy
- An ISP provided internet router with DHCP disabled.
- A WiFi-N Access Point (AP) on the A-band (5GHz)
- A WiFi-N AP on the B/G band (2.4GHz)
With the exception of the external SSH server and SOCKS proxy, a typical home setup using an ISP supplied WiFi router would play all of those roles, which is fine. In my case, what I want to do is replace the B/G 2.4 AP with the DD-WRT unit that would provide wireless access to the internal network on the B/G/N band, plus create a separate password-protected SSID for friends with a completely different IP range than the internal network, and with public DNS servers. The end effect being that devices connected to the "friend" band would have internet access, but would be able to access the internal systems. Also, the 'friend' access network would be capped at 1.5 Mbps (DSL speed), which is more than adequate for the usual e-mail, Facebook, etc. access. The other benefit of this is that I would not have to give my internal WiFi access password to anyone, and can change the 'friend' password at any time without having to re-do the internal systems.
Step 1: Install DD-WRT on the router
The DD-WRT wiki has plenty of information on how to do this, but essentially it comes down to:
- Download the DD-WRT firmare for your router (I chose NEWD-k2.6-mini generic)
- Download the tools from Asus
- Set the router in recovery mode
- Use the Asus recovery tool to install DD-WRT
(1) - It is recommended that you use Internet explorer for the initial setup. I don't know why, but that's the recommendation.
(2) - Most internal home IP ranges start with either 192.168.0 or 192.168.1. If yours is the latter, you will need to make some (temporary) changes to your IP setup. The Asus router defaults to 192.168.0.1, so make sure the PC you are using to set up the router is set to a fixed address like 192.168.0.10. On a PC, the steps are pretty simple:
From the "Network and sharing center", select your LAN connection, then click on the Properties button:
then, select the IPV4 protocol and click on properties:
Change the settings from your default (probably this):
to look like this:
Click Ok until all the property windows are closed.
Now, connect your router and follow the wiki instructions to start it in recovery mode to you can install the DD-WRT firmware.
Step 2: Configure the Router for the internal network
Note: I like the concept of using the unit as an access point rather than a router, simply because I'm happy with my current router. These instructions are for an AP setup. If you rather use the unit as a router, then consult the wiki. The unit's mode (AP or router) is not important for the dual WiFi setup.
The first thing you need to do is set up a root password. the username is root, and pick your password. Then save the changes. Now, configure your IP address setup to match your default network. Click on the Setup tab and set the Wan connection type to disabled.
My network is 192.168.1 based, so I gave mine a high-enough number:
Also, make sure the gateway and local DNS points to your router's IP. Note: my local DNS is not my router. That is why they don't match in the picture.
Enable the DHCP server on the unit, but set it to have zero maximum DHCP users. On the server configuration, put any number you want for the start IP address, and set the static DNS entries to your router's IP address. You will probably need just one, unlike me. It is also important to enable dnsmasq for DNS and DHCP.
(Note: As of 2011-Sep-08 This "no dhcp" lease setup is not working 100% reliably for me. I will post an update when I find a way to resolve it)
Another important side note: If you plan to use this as your actual DHCP server, then do not use zero for the Maximum DHCP users box. 50 is probably more than adequate. In this scenario, I would select a start IP address of maybe 128.
Also, I strongly recommend you set up a time server:
The reason you need the DHCP server enabled (even though in my case it will not provide any addresses) is because you need a DHCP server set up for the 'friend' WiFi network. If the main DHCP server is not enabled, the secondary one will not work either. Click on the "Apply Settings" button, then the Save button.
A very important note: If you changed the IP settings to match your current network, you will need to reset your LAN setting back to the defaults (DHCP). Look at the first three pictures above.
Now, set up your private wireless network.
Select the Wireless tab at the top of the page. in the Basic Settings, set your wireless mode to AP. Give your internal WiFi network a name. I picked "PrivateWifi" for this example:
If your page does not show a virtual interface, click on the Add button, then give it a name "FriendWifi" for this example. Then (you guessed it) click on Apply settings and then on Save.
Now, secure your networks:
Go to the "Wireless Security" tab and select WPA2 Personal mixed, TKIP+AES, then your password. Repeat for the 'friend' network, but use a different password! :) Do the now familiar Apply + Save.
You should try to connect to your private WiFi network and make sure you can get out to the internet, etc. The public WiFi network is not yet ready to be tested. We will do that one later.
Step 3: Configure the Router for the "friend" network.
In order for this to work, the key portions needed are:
- Create a network bridge and assign it to the virtual interface.
- Give the bridged network a completely different IP network number than your internal network.
- Enable DHCP for the bridged network with DNS settings that have no relation to your internal network
- Set up a firewall rule so that the bridged network can actually get out to the internet (very important!)
Select the Setup tab, then select the "Networking" sub-tab. On the Bridging section, click on "add" to create Bridge 0. Set the IP address to something other than what you're using. For example I selected 192.168.10.1
Use 255.255.255.0 for a netmask. Now, assign the bridge to the virtual wireless (wl0.1):
On the Port setup section, enter the same IP address and netmask you used in the "Create Bridge section":
On the DHCP section, enable a DHCP server for the bridged network (br1):
The example above is configured to provide a max of 10 simultaneous IP addresses on the friend network, starting with IP address 192.168.10.50. You can tweak those numbers as needed. I haven't found myself needing more than 10 friends to connect at the same time, so that max was good for me.
To setup the DNS on the friend network, pick a public DNS server, such as Google or OpenDNS. I picked Google. The DNS servers for my location are 8.8.8.8 and 8.8.4.4. Do a search for "Google dns" to find out what addresses are correct for you. Mine will work, but they may not be the best servers for your location.
To accomplish this, go to the "Services" tab to enable the DNSmasq service and feed it some parameters, like this:
To accomplish this, go to the "Services" tab to enable the DNSmasq service and feed it some parameters, like this:
Since you cannot cut and paste the text from the image, here it is:
interface=br1
dhcp-option=br1,6,8.8.8.8,8.8.4.4,4h
What that means is that the DHCP server is for the bridged lan (br1), with dns servers 8.8.8.8 and 8.8.4.4 and each IP has a max 4 hour lease time. Now, do the usual apply+save steps.
At this point, you should be able to connect to the friend network and verify that you get an IP address that starts with 192.168.10. (if you used my settings verbatim). If you click on the connection details, the DNS servers should be 8.8.8.8 and 8.8.4.4 (again, if you used my settings), and your gateway should be the IP address of the unit (the first thing you did after installing DD-WRT). Note that you will not be able to get out to the internet just yet.
There is one final step to do: the firewall. Since you need a custom rule to ensure the bridged traffic can get to the internet, you have to manually enter the rule.
Select the "Administration" tab, then the "Command sub-tab". In the command box, enter these two lines:
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
Then, click on "Run commands" to test that you can now access the internet. Once you're satisfied, click on "Save firewall". There are more complex examples in the wiki page. I think this setting is probably the most suitable for you. What the rules are doing is allowing the bridge traffic to flow through the physical (private) connection, and blocking any traffic from the public network going to the private network.
At this point, you can save your settings somewhere safe, and you're pretty much done. Congrats!
Step 4: Extra credit
This part is optional, but I would recommend it: Limit the amount of bandwidth the public network can use. The benefit of this is that while you're being a good friend by sharing your 'net pipe, you are also ensuring that your private systems have enough available bandwidth at all times.
In my scenario, I chose to cap the download speeds at DSL speed (1.5mbit). I have a FIOS connection, so that amount is a small percentage of my available speed. If you happen to have only a DSL line, then drop the value accordingly. I would make sure you cap the public network at no more than 50% of your available pipe.
If you're not sure how fast your 'net speed actually is, do a search for "internet speed test" or try www.speedtest.net. Use those numbers to determine the values you use for the uplink and downlink entries.
So, here is my setup:
On the Nat/QoS tab, select the QoS sub-tab. On the QoS settings, enable QoS for Lan & Wlan. Set up your uplink speed to (again) no more than 30% of what's available to you. Set up your downlink speed to no more than 50% of what you have.
Friends care primarily about e-mail, facebook, web, etc. None of those services require fast uplink speeds.
On the "Netmask Priority" section, there should be two IP/mask entries: One is your private network, and the other is the friend network. If one or more of the entries are missing, add them using the entry fields and click on the "Add" button. Set your private network entry with an Exempt priority, and your public network with a Bulk priority.
As always, do the Apply+Save button combo.
I know it looks like a lot, but it is not. you can have the whole thing set up from unwrapping the unit to configuring it in less than 20 minutes. There are a few gotchas along the way, but I don't think it is too bad. My setup took longer because of my unorthodox setup, and because I wanted to have a fixed bandwith for the public network.
Enjoy!